
The Human Factors of Security Misconfigurations. Let’s Fix the Weakest Link.

CONSTANZE DIETRICH, LEXTA Consultants Group

[@WeddingTrash // [email protected]]

77th RIPE Meeting, Plenary Session, 16 October 2018

Outline

1. The issue: Security Misconfigurations

2. The method: Empirical Approach

3. The results:
   a. Who?
   b. What?
   c. Why?
   d. What else?

4. The implications: A few Ideas

Security Misconfigurations

WTF?


The Empirical Approach

(0. Presentation and Recruitment at SysAdmin Regular’s Table)

1. Interviews

2. Focus Group

(2.1. Presentation of the Preliminary Findings at RIPE 74)

3. Anonymous Online Survey

⇒ 221 valid responses in 30 days

Who?

[Charts of respondent demographics: PLACE OF WORK, EDUCATION, AGE, WORK EXPERIENCE (number of respondents per category), and JOBS.]

What?

[Chart: ISSUE ASSESSMENT VARIANCE. Respondents rated twelve scenarios on confidentiality, integrity, availability, risk and severity (chart columns: conf, int, avail, risk, SEVERITY). Scale: 5 Critical; 4 High; 3 Medium; 2 Low; 1 Very low. The scenarios:]

Email addresses of 1,000 users got leaked.

Email addresses of all 100,000 users got leaked.

Credit card information of 1,000 users got leaked.

10 employees report the database does not show yesterday's changes.

The backup doesn't match the actual data.

100 users lose one hour of work done.

For one hour 100 employees are unable to log in to their workstations.

100 users report their accounts have been disabled.

100 users report the data they're seeing isn't theirs.

Workstation login data of 100 employees is stored in a physical folder.

The corporate mail server fails to filter certain spam.

10 non-operator workstations have administrator rights.

What?

220 operators have encountered security misconfigurations.

196 operators have made security misconfigurations themselves.

How?

[Chart: HOW DID YOU COME ACROSS THOSE SMs? (BASED ON 143 RESPONSES). Bar values: 57%, 42%, 31%, 24%, 13%, 13%, 9%, 2%.]

Why?


What else?

“One incident gets your boss to improve security. Two incidents get their boss to improve security. Three.... You get it, don't you?”

− respondent #120

What else?

[Chart: OPINIONS. Mean agreement per statement on a scale from -2 to 2, shown separately for two respondent groups: ISP / IT and Non-IT / Gov. The statements:]

In my company we keep up with security standards.

My direct supervisor knows the amount of work I'm doing.

The obligation to report security incidents is often not taken seriously.

Operators in management allow for more reasonable security-related business decisions.

My direct supervisor understands what I'm actually doing.

The general priority of security rises after a security incident has happened.

The threat of bad press after a security incident is what companies fear most.

The discovery of a security misconfiguration made me more cautious regarding security.

Blameless postmortems help to detect essential issues in corporate procedures.

I feel responsible for pointing out security issues to peers.

I feel responsible for keeping my operations secure.

Software or hardware being certified means it is secure.

They taught me how to take care of misconfigured systems in school.

Agility is more important than security.

In my company we have a budget for mistakes.

I trust all the tools and equipment we're using.

Too many things are configurable.

A few ideas

Wait for it… Waaait for it…

1. Automation.

2. Documentation.

3. Clear (shared) responsibilities.

4. Processes and procedures.

5. Troubleshooting courses for evolving operators.

“[In school] They only focus on installing and putting things together. Unless you learn to become a car mechanic or so. Where broken is the state you start with.”

− interviewee #11


6. Security incident “LARP” for management.

“Personally, I think some of them [the management] should use type writers instead of computers.”

− respondent #54


7. Probability. Damage. Human Factors.

“Usually it’s a question of whether the risk assessment was correct or needs adjustment, and following that sometimes security measures are enhanced.”

− respondent #52


8. Honest error culture in companies.

“A slap on the hand and off you go.”

− respondent #210


A few ideas (summary)

1. Automation.

2. Documentation.

3. Clear responsibilities.

4. Processes and procedures.

5. Troubleshooting courses for evolving operators.

6. Security incident “fire drills” for management.

7. Probability. Damage. Human Factor.

8. Honest error culture in companies.